1.  Introduction
The practice of falsifying the identity of the sender of an e-mail
message, commonly called "spoofing", is a prevalent tactic used by
senders of unsolicited commercial e-mail, or "spam".  This form of
abuse has highlighted the need to improve identification of the
"responsible submitter" of an e-mail message.

In this specification, the responsible submitter is the entity most
recently responsible for injecting a message into the e-mail
transport stream.  The e-mail address of the responsible submitter
will be referred to as the Purported Responsible Address (PRA) of the
message.  The Purported Responsible Domain (PRD) is the domain
portion of that address.

This specification codifies rules for encoding the purported
responsible address into the SMTP transport protocol.  This will
permit receiving SMTP servers to efficiently validate whether or not
the SMTP client is authorized to transmit mail on behalf of the
responsible submitter's domain.


Broadly speaking, there are two possible approaches for determining
the purported responsible address: either from RFC 2821 [SMTP]
protocol data or from RFC 2822 [MSG-FORMAT] message headers.  Each
approach has certain advantages and disadvantages.


Deriving the purported responsible domain from RFC 2821 data has the
advantage that validation can be performed before the SMTP client has
transmitted the message body.  If spoofing is detected, then the SMTP
server has the opportunity, depending upon local policy, to reject
the message before it is ever transmitted.  The disadvantage of this
approach is the risk of false positives, that is, incorrectly
concluding that the sender's e-mail address has been spoofed.  There
are today legitimate reasons why the Internet domain names used in
RFC 2821 commands may be different from those of the sender of an
e-mail message.


Deriving the purported responsible domain from RFC 2822 headers has
the advantage that validation can usually be based on an identity
that is displayed to recipients by existing Mail User Agents (MUAs)
as the sender's identity.  This aids in detection of a particularly
noxious form of spoofing known as "phishing" in which a malicious
sender attempts to fool a recipient into believing that a message
originates from an entity well known to the recipient.  This approach
carries a lower risk of false positives since there are fewer
legitimate reasons for RFC 2822 headers to differ from the true
sender of the message.  The disadvantage of this approach is that it
does require parsing and analysis of message headers.  In practice,
much if not all the message body is also transmitted since the SMTP
protocol described in RFC 2821 provides no mechanism to interrupt
message transmission after the DATA command has been issued.
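
The two derivations contrasted above, as an added Python illustration that is not part of the specification text. The messages are constructed samples, and the header precedence in HEADER_ORDER is a simplifying assumption of this example; this section does not define how the responsible header is selected.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed, simplified precedence for this example only; the text above does
# not define how the responsible header is selected.
HEADER_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")

def domain_of(value):
    """Lower-cased domain of a mailbox such as 'Name <user@host>', else None."""
    local, at, domain = parseaddr(value or "")[1].rpartition("@")
    return domain.lower() if at and local and domain else None

def envelope_domain(mail_from_cmd):
    """Domain from SMTP protocol data: the MAIL FROM reverse-path."""
    m = re.match(r"MAIL FROM:\s*<([^<>\s]*)>", mail_from_cmd.strip(), re.I)
    return domain_of(m.group(1)) if m else None

def header_domain(raw_message):
    """Domain from message headers; needs the header block to be received."""
    msg = message_from_string(raw_message)
    for name in HEADER_ORDER:
        domain = domain_of(msg.get(name))
        if domain:
            return domain
    return None

def compare(mail_from_cmd, raw_message):
    """Return both derivations plus the domain an MUA shows from From:."""
    shown = domain_of(message_from_string(raw_message).get("From"))
    env = envelope_domain(mail_from_cmd)
    return {"envelope": env, "headers": header_domain(raw_message),
            "displayed": shown, "envelope_matches_displayed": env == shown}

# Constructed samples: a direct message and a mailing-list redistribution.
DIRECT = "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n"
LISTED = ("Sender: list-bounces@lists.example.org\n"
          "From: Alice <alice@example.com>\nSubject: hi\n\nbody\n")

if __name__ == "__main__":
    print(compare("MAIL FROM:<alice@example.com>", DIRECT))
    # Legitimate list mail: the envelope domain differs from the displayed one,
    # so a naive envelope-vs-From comparison would be a false positive.
    print(compare("MAIL FROM:<list-bounces@lists.example.org>", LISTED))
    print(envelope_domain("MAIL FROM:<>"))  # null reverse-path has no domain
```
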


